Newsgroups: php.internals
Xref: news.php.net php.internals:99353
From: bukka@php.net (Jakub Zelenka)
To: Jelle van der Waa
Cc: php-internals
Date: Sun, 4 Jun 2017 20:02:15 +0100
Subject: Re: [PHP-DEV] [RFC] Add openssl_pkcs7_read and extend openssl_pkcs7_verify
In-Reply-To: <20170604182219.GA6723@gmail.com>
References: <20170531101952.GB26690@gmail.com> <20170604182219.GA6723@gmail.com>

On Sun, Jun 4, 2017 at 7:22 PM, Jelle van der Waa wrote:

> On 06/04/17 at 07:00pm, Jakub Zelenka wrote:
> > On Wed, May 31, 2017 at 11:19 AM, Jelle van der Waa wrote:
> >
> > > I would like to propose the addition of openssl_pkcs7_read and
> > > extending openssl_pkcs7_verify to also return a PKCS7 structure. The
> > > reasoning for the addition of these functions is the requirement at
> > > work to obtain the CA certificates usually sent along with a signed
> > > email. The CA certificates are required for OCSP verification (which
> > > is currently done in pure PHP; I also would like to see this added in
> > > PHP in the future).
> > >
> > > It is currently impossible to acquire the CA certificates with the
> > > openssl functions which PHP provides. I've also found a bug report
> > > requesting the ability to read a PKCS7 blob. [1]
> > >
> > > To summarize, I would propose to add an optional parameter to
> > > openssl_pkcs7_verify which takes a string that defines the location
> > > where the PKCS7 blob should be stored.
> > >
> > > $pkcs7 = "chain.pk7";
> > > openssl_pkcs7_verify($file, PKCS7_NOVERIFY, $outfile, [], $outfile,
> > > $content, $pkcs7);
> > >
> > > To be able to read the blob, I would propose a new function
> > > openssl_pkcs7_read which returns an array of strings containing the PEM
> > > certificates in the PKCS7 blob. I've based the naming and behaviour on
> > > openssl_pkcs12_read.
> > >
> > > openssl_pkcs7_read($pkcs7, $data);
> > > var_dump($data);
> > >
> > > I've implemented the above-mentioned changes in my fork of PHP; mind
> > > that the code isn't ready for a PR yet since there are some styling
> > > issues, possible memory leaks and of course missing tests. The code
> > > however works as a proof of concept. [2]
> > >
> > > For further background information, obtaining the pk7 output can be
> > > done with the 'openssl' tool:
> > >
> > > openssl smime -verify -pk7out -in signed_email.eml > foo.pkcs7
> > > openssl pkcs7 -print_certs -in foo.pkcs7
> > >
> >
> > It seems reasonable from the quick look.
> >
> > I don't think we need an RFC unless there are some objections. Once it's
> > ready, a PR should be enough IMHO.
>
> Thanks, this is my first time contributing a feature to PHP, and from
> reading the wiki an RFC was the method to introduce new features.
>
> Off-topic, I also want to later add string-based instead of file-based
> openssl_pkcs7_* functions. Do I need to create an RFC for it?
>

First of all, it's really great that you contribute to this, so thanks! I
think that for changes like this, it's best to first open a PR. When the PR
is ready and all issues resolved, it should be announced on this mailing
list to see if there are any objections. If there are none, it should be
fine to merge it IMHO. Otherwise, if there is no agreement, it probably
needs an RFC. :)

I think that an RFC makes sense either when the feature is complex or when
people are not in agreement about it. This is of course just my view and
others might disagree... :)

Cheers

Jakub
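As an added example of the workflow Jelle describes (not code from the thread, from his fork, or from php-src), assuming the signatures proposed above, placeholder file paths, and that the signer certificate carries its OCSP responder URL in the authorityInfoAccess extension:

```php
<?php
// Pass 1 with PKCS7_NOVERIFY: nothing is trusted yet; the call only dumps the
// PKCS#7 blob to $pkcs7 through the 7th argument proposed in the thread.
function extractPkcs7Chain(string $eml, string $pkcs7): array
{
    if (openssl_pkcs7_verify($eml, PKCS7_NOVERIFY, null, [], null, null, $pkcs7) !== true) {
        throw new RuntimeException('not a PKCS#7 signed message: ' . openssl_error_string());
    }
    $certs = [];
    // Proposed signature: openssl_pkcs7_read($pkcs7, $certs) fills $certs with PEM strings.
    // If the merged function takes the blob contents rather than its path, pass file_get_contents($pkcs7).
    if (!openssl_pkcs7_read($pkcs7, $certs)) {
        throw new RuntimeException('could not parse PKCS#7 blob: ' . openssl_error_string());
    }
    return $certs;
}

// Split the blob into the signer certificate and the CA certificates shipped with it, then
// find the signer's issuer and OCSP responder URL: the two inputs an OCSP request needs.
function ocspInputs(array $pems): array
{
    $parsed = array_map('openssl_x509_parse', $pems);
    $leaf = null; $cas = [];
    foreach ($parsed as $i => $info) {
        if (stripos($info['extensions']['basicConstraints'] ?? '', 'CA:TRUE') !== false) {
            $cas[] = $pems[$i];
        } else {
            $leaf = $i;
        }
    }
    if ($leaf === null) {
        throw new RuntimeException('no end-entity certificate in blob');
    }
    $issuer = null;
    foreach ($parsed as $i => $info) {
        if ($i !== $leaf && $info['subject'] === $parsed[$leaf]['issuer']) {
            $issuer = $pems[$i];
        }
    }
    preg_match('/OCSP - URI:(\S+)/', $parsed[$leaf]['extensions']['authorityInfoAccess'] ?? '', $m);
    return ['signer' => $pems[$leaf], 'issuer' => $issuer, 'ocsp_uri' => $m[1] ?? null, 'untrusted' => $cas];
}

// Pass 2: the CAs came from the message itself, so they are only "untrusted" intermediates
// (5th argument); trust comes from the local CA bundle, and the signature is now checked.
function verifyWithExtracted(string $eml, array $cas, string $caBundle, string $tmp): bool
{
    file_put_contents($tmp, implode("\n", $cas));
    return openssl_pkcs7_verify($eml, 0, null, [$caBundle], $tmp) === true;
}
```

Both verify passes matter: the blob dumped under PKCS7_NOVERIFY is whatever the sender put in the message, so the extracted CAs are input to the real verification, never a substitute for it.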